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FOREWORD 


This Indian Standard (Part 2/Sec 35) (Second Revision) was adopted by the Bureau of Indian Standards, after the 
draft finalized by the Electrical Appliances Sectional Committee had been approved by the Electrotechnical 
Division Council. 


This standard was first published in 1993, and revised in 2011. This revision has been undertaken primarily to 
align the existing standard with the latest International Standard. 


It has been assumed in the formulation of this standard that the execution of its provisions is entrusted to 
appropriately qualified and experienced persons. 


This standard recognizes the internationally accepted level of protection against hazards such as electrical, 
mechanical, thermal, fire and radiation of appliances when operated as in normal use taking into account the 
manufacturer’s instructions. It also covers abnormal situations that can be expected in practice and takes into 
account the way in which electromagnetic phenomena can affect the safe operation of appliances. 


This standard takes into account the requirements of IS 732 : 1989 ‘Code of practice for electrical wiring installations 
(third revision), as far as possible so that there is compatibility with the wiring rules when the appliance is connected 
to the supply mains. However, in case of any deviation, wiring rules take precedence. 


If an appliance within the scope of this standard also incorporates functions that are covered by another Part 2 of 
IS 302, the relevant Part 2 is applied to each function separately, as far as is reasonable. If applicable, the influence 
of one function on the other is taken into account. 


When a Part 2 standard does not include additional requirements to cover hazards dealt with in Part 1, Part 1 
applies. 


NOTE — This means that in such a case, it has been decided that for the part 2 standards, it is not necessary to specify particular 
requirements for the appliance in question over and above the general requirements. 


This standard is a product family standard dealing with the safety of appliances and takes precedence over horizontal 
and generic standards covering the same subject. 


NOTE — Horizontal and generic standards covering a hazard are not applicable since they have been taken into consideration when 
developing the general and particular requirements for the IS 302 series of standards. 


An appliance that complies with the text of this standard will not necessarily be considered to comply with the 
safety principles of the standard if, when examined and tested, it is found to have other features which impair the 
level of safety covered by these requirements. 


An appliance employing materials or having forms of construction differing from those detailed in the requirements 
of this standard may be examined and tested according to the intent of the requirements and, if found to be 
substantially equivalent, may be considered to comply with the standard. 


This standard is to be read in conjunction with the latest edition of IS 302-1 ‘Safety of household and similar 
electrical appliances : Part 1 General Requirements’ and its amendments. This standard was formulated on the 
basis of IS 302-1 : 2008. 


NOTE — When ‘Part 1’ is mentioned in this standard, it refers to IS 302-1. 


This Part 2 supplements or modifies the corresponding clauses in IS 302-1, so as to convert that standard into the 
Indian standard: Particular requirements for Electrical Instantaneous Water heaters. 


When a particular subclause of Part 1 is not mentioned in this Part 2, that subclause applies as far as is reasonable. 
When this standard states addition, modification or replacement, the relevant text in Part 1 is to be adapted 
accordingly. 


(Continued on third cover) 
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Indian Standard 


SAFETY OF HOUSEHOLD AND SIMILAR ELECTRICAL 


APPLIANCES 


PART 2 PARTICULAR REQUIREMENTS 
SECTION 35 ELECTRIC INSTANTANEOUS WATER HEATER 


(Second Revision ) 


1 SCOPE 
This clause of Part | is replaced by the following. 


This Indian Standard deals with the safety of electric 
instantaneous water heaters for household and similar 
purposes and intended for heating water below boiling 
temperature, their rated voltage being not more than 
250 V for single-phase appliances and 480 V for other 
appliances. 


NOTE 101 — Instantaneous water heaters incorporating bare 
heating elements are not permitted for safety reasons. 


Appliances not intended for normal household use but 
which nevertheless may be a source of danger to the 
public, such as appliances intended for use in shops, in 
light industry and on farms, are within the scope of this 
standard. 


As far as is practicable, this standard deals with the 
common hazards presented by appliances which are 
encountered by all persons in and around the home. 
However, in general, it does not take into account 


a) persons (including children) whose 


1. physical, sensory or mental capabilities; 
or 


2. lack of experience and knowledge 


prevents them from using the appliance safely 
without supervision or instruction; 


b) children playing with the appliance. 


NOTE 102 — Attention is drawn to the fact that for appliances 
intended to be used in vehicles or on board ships or aircraft, 
additional requirements may be necessary; 


NOTE 103 — This standard does not apply to 
1. appliances for heating liquids (IS 302-2-15); 
2 storage water heaters (IS 302-2-21); 
3. appliances intended exclusively for industrial purposes; 
4 


appliances intended to be used in locations where special 
conditions prevail, such as the presence of a corrosive 
or explosive atmosphere (dust, vapour or gas); 


5. commercial dispensing appliances and vending 
machines (IS 302-2-75 (under preparation)). 


2 REFERENCES 
This clause of Part 1 is applicable. 


3 TERMS AND DEFINITIONS 
This clause of Part 1 is applicable except as follows. 


3.1.9 Replacement: 


Normal operation 


operation of the appliance while supplied with water, 
the flow being adjusted to attain the highest outlet water 
temperature without operation of the thermal cut-out. 


3.101 Instantaneous Water Heater 


stationary appliance for heating water while it flows 
through the appliance 


Note | to entry: Instantaneous water heaters are referred to as 
water heaters. 


3.102 Closed Water Heater 


instantaneous water heater intended to operate at the 
pressure of the water system, the flow of water being 
controlled by one or more valves in the outlet system 


Note 1 to entry: The operating pressure can be the output 
pressure of a reducing or boosting device. 


3.103 Open-outlet water heater 


instantaneous water heater in which the flow of water 
is controlled by a valve in the inlet pipe, there being no 
valve in the outlet pipe 


3.104 Bare-element Water Heater 


instantaneous water heater in which uninsulated heating 
elements are immersed in the water 


NOTE — Manufacturing and use of bare-element water heaters 
are not allowed for safety reason. 


3.105 Rated pressure 


water pressure assigned to the appliance by the 
manufacturer 


3.106 Flow switch 


device that operates in response to a flow of water 


3.107 Pressure switch 


device that operates in response to a change in pressure 
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4 GENERAL REQUIREMENT 

This clause of Part 1 is applicable. 

5 GENERAL CONDITIONS FOR THE TESTS 
This clause of Part 1 is applicable except as follows. 


5.2 Addition: 


NOTE 101— Additional samples can be required for the tests 
of 22.109. 


5.3 Addition: 


When the tests are carried out on a single appliance, 
the tests of 22.102, 22.107, 22.108 and 24.102 are 
carried out before the tests of 19. 


5.7 Addition: 


Water having a temperature of 25 + 5 °C is used for 
the tests. 


6 CLASSIFICATION 


This clause of Part 1 is applicable except as follows. 


6.1 Modification: 
Water heaters shall be Class I, Class II or Class III. 


6.2 Addition: 
Water heaters shall be at least IPX1. 


NOTE — 101 Specific zones in which the water heater is 
installed require a higher degree of protection as specified in 
NEC(SP 30:2011). 


7 MARKING AND INSTRUCTIONS 


This clause of Part 1 is applicable except as follows. 


7.1 Addition: 


Appliances shall be marked with the rated pressure in 
pascals. 


7.12 Addition: 


The instructions for open-outlet water heaters to be used 
with a spray head shall state that the spray head must 
be descaled regularly. 


The instructions for an appliance not incorporating a 
flow switch shall include the substance of the following: 


WARNING: Do not switch on if there is a possibility that the 
water in the heater is frozen. 


7.12.1 Addition: 


The installation instructions for open-outlet water 
heaters shall state that the outlet must not be connected 
to any tap or fitting other than those specified. 


If a pressure relief device is required for closed water 
heaters, the instructions shall state that it must be fitted 
during installation, unless it is incorporated in the 
appliance. 


In a multiple water outlet system where the water 


temperature can be set at each individual water outlet, 
the instructions shall state the substance of the following: 


The system shall be installed so that the control for 
setting the water temperature in normal use installed at 
a shower outlet shall take priority over any other 
controls in the system that set the water temperature in 
normal use at other water outlets. 


7.101 The water inlet and water outlet shall be 
identified. This identification shall not be on detachable 
parts. If colours are used, blue shall be used for the 
inlet and red for the outlet. An alternative means of 
identification may be by means of arrows showing the 
direction of the water flow. 


Compliance is checked by inspection. 


7.102 BIS Certification Marking 


The appliances may also be marked with the Standard 
Mark. 


7.102.1 The use of the Standard Mark is governed by 
the provisions of the Bureau of Indian Standards Act, 
1986 and the Rules and Regulations made thereunder. 
The details of conditions under which the licence for 
use of the Standard Mark may be granted to 
manufacturers or producers may be obtained from the 
Bureau of Indian Standards. 


8 PROTECTION AGAINST ACCESS TO LIVE 
PARTS 


This clause of Part 1 is applicable except as follows. 
8.1.5 Addition: 


The connections to the water mains and electrical 
supply are assumed to be in position during the test. 


The requirement does not apply to wall-mounted 
appliances intended to be permanently connected to 
fixed wiring by cables having a nominal cross-sectional 
area more than 2.5 mm’. 


However, the cross-sectional area of the cable entry 
shall not exceed 25 cm? and there shall be no accessible 
live parts within the projection of the opening. 


9 STARTING OF MOTOR-OPERATED 
APPLIANCES 


This clause of Part 1 is not applicable. 

10 POWER INPUT AND CURRENT 

This clause of Part 1 is applicable. 

11 HEATING 

This clause of Part 1 is applicable except as follows. 
11.7 Replacement: 


The appliance is operated until steady conditions are 
established. 


12 VOID 

13 LEAKAGE CURRENT AND ELECTRIC 
STRENGTH AT OPERATING TEMPERATURE 
This clause of Part 1 is applicable. 


14 TRANSIENT OVERVOLTAGES 
This clause of Part 1 is applicable. 


15 MOISTURE RESISTANCE 
This clause of Part 1 is applicable except as follows. 
15.1.2 Addition: 


Wall-mounted appliances are fixed at a distance of 
3 mm from the mounting surface, unless the installation 
instructions specify a larger value. 


16 LEAKAGE CURRENT AND ELECTRIC 
STRENGTH 

This clause of Part | is applicable. 

17 OVERLOAD PROTECTION OF 
TRANSFORMERS AND ASSOCIATED CIRCUITS 
This clause of Part 1 is applicable. 


18 ENDURANCE 
This clause of Part | is not applicable. 


19 ABNORMAL OPERATION 


This clause of Part 1 is applicable except as follows. 
19.2 Not Applicable. 

19.3 Not Applicable. 

19.4 Addition: 


For open-outlet water heaters, flow switches and 
pressure switches that operate during the test of 11 are 
short-circuited, the water-control valve being adjusted 
to the most unfavourable position. 


NOTE 101 — The closed position of the valve can be the most 
unfavourable position. 


Flow switches and thermostats of closed water heaters 
are short-circuited and any pressure relief device 
rendered inoperative, the outlet valve being closed. 
However, if the appliance has no flow switch and back- 
siphonage is likely to occur, the water heater is filled 
with just sufficient water to cover the heating element 
and operated with the outlet valve open. 

NOTE 102 — Back-siphonage is not considered likely to occur 

if a non-return valve or a pipe interrupter is incorporated in the 


appliance or if the instructions state that a non-return valve has 
to be included in the installation. 


19.13 Addition: 


During the test of 19.4, the water container shall not 
rupture and the water temperature shall not exceed 
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a) 99°C, for open-outlet water heaters having a 
capacity exceeding | litre; 

b) 140°C, for closed water heaters having a 
capacity exceeding llitre. 


20 STABILITY AND MECHANICAL HAZARDS 
This clause of Part 1 is applicable. 


21 MECHANICAL STRENGTH 
This clause of Part 1 is applicable. 


22 CONSTRUCTION 


This clause of Part 1 is applicable except as follows. 


22.6 Addition: 


The enclosure shall have a drain hole positioned so 
that the water can drain without impairing the electrical 
insulation, unless water cannot accumulate within the 
enclosure in normal use. The hole shall be at least 5 
mm in diameter or 20 mm2 in area with a width of at 
least 3 mm. 


Compliance is checked by inspection and by 
measurement. 


22.47 Replacement: 


Appliances shall withstand the water pressure occurring 
in normal use. 


Compliance is checked by subjecting the appliance to 
a water pressure of 


a) Twice the rated pressure, for closed water 
heaters and ; 


b) 0.15 MPa, for open-outlet water heaters. 


If an open-outlet water heater incorporates a valve that 
regulates the water flow, a water pressure of 2 MPa is 
applied to the inlet of the appliance, the valve being closed. 


Pressure-relief devices are rendered inoperative. The 
pressure is raised at a rate of 0.13 MPa/s to the specified 
value and is maintained at that value for 5 min. 


Water shall not leak from the appliance and there shall 
be no permanent deformation to such an extent that 
compliance with this standard is impaired. 


22.48 Not Applicable. 
22.50 Addition: 


The requirement is not applicable provided the 
maximum temperature of the water from the system 
cannot exceed 55 °C in normal use. 


If the maximum temperature of the water from the 
system exceeds 55 °C in normal use then the 
requirement is not applicable provided that the system 
is such that a shower outlet normal use water 
temperature control takes precedence in setting the 
system temperature. In the case of systems with multiple 
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shower outlets, the shower with the lowest temperature 
setting shall take precedence, the other shower outlets 
taking precedence over non-shower outlets. 


22.101 The rated pressure of closed water heaters shall 
be at least 0.6 MPa. 


The rated pressure of closed water heaters intended to 
be supplied by a pressure reducing valve shall be at 
least 0.1 MPa. 


NOTE — The rated pressure of open-outlet water heaters is 
0 Pa. 


Compliance is checked by inspection. 


22.102 The outlet water of appliances other than those 
intended to supply water for showering shall not attain 
an excessive temperature due to a sudden pressure drop 
in the water supply. 


Compliance is checked by the following test. 


The appliance is operated at rated power input with 
the controls or switching devices adjusted to their most 
unfavourable possible setting to attain the maximum 
water temperature. Any regulating valve is fully opened 
and the water flow is adjusted so that the flow switch 
or the pressure switch is on the verge of operating. 


Any control devices that operate during the test of 11 
are short-circuited. The water flow is reduced in steps 
of 10 percent per minute until; 


a) for closed water heaters, the thermal cut-out 
incorporated to comply with 22.106 operates 
or steady conditions are established; and 


b) for open outlet water heaters, a non-self- 
resetting thermal cut-out operates or steady 
conditions are established. 


If the rupture of a heating element or an intentionally 
weak part leads to a permanent open circuit, the test is 
repeated on a second sample. This second test shall be 
terminated in the same mode unless the test is otherwise 
satisfactorily completed. 


22.103 Water heaters shall be supplied with a pressure 
relief device that prevents excessive pressure. 


Compliance is checked by inspection and by subjecting 
the appliance to a slowly increasing water pressure. 


The pressure relief device shall operate before the water 
pressure exceeds the rated pressure by more than 0.1 MPa. 


NOTE — The pressure relief device can be fitted during 
installation. 


22.104 The outlet of open-outlet water heaters shall 
be constructed so that the water flow is not limited to 
such an extent that the container is subjected to a 
significant pressure in normal use. 


Compliance is checked by inspection. 


The requirement is considered to be met, if the cross- 
sectional area of the water outlet is not less than that of 
the inlet. 


22.105 Open oulet water heaters incorporating a flow 
switch shall be constructed so that if there is no water 
flow, the heating element cannot be switched on, and it 
is switched off, if the water flow ceases. 


Compliance is checked by inspection and by manual 
test. 


However, if compliance with this subclause relies on 
the correct operation of an electronic circuit, the 
appliance is further tested as follows. 


a) The appliance is operated for one cycle. In 
addition, the electromagnetic phenomena tests 
of 19.11.4.1 to 19.11.4.7 are applied during 
the test. The tests are carried out with surge 
protective devices disconnected, unless they 
incorporate spark gaps. 


If there is no water flow, the heating element 
shall not be switched on, and it is switched 
off without delay if the water flow ceases. 


b) The appliance is operated for one cycle. The 
fault conditions in 19.11.2 are then considered 
and applied one at a time to the electronic 
circuit. 


If there is no water flow, the heating element shall not 
be switched on, and it is switched off without delay if 
the water flow ceases. 


One cycle consists of opening and closing of the water 
tap. 


If the electronic circuit is programmable, the software 
shall contain measures to control the fault/error 
conditions specified in Table R.1 and is evaluated in 
accordance with the relevant requirements of Annex R. 


22.106 Closed water heaters shall incorporate a 
thermal cut-out that operates independently from a 
thermostat or flow switch. It shall only be possible to 
reset the thermal cut-out after removal of a non- 
detachable cover. 


If the capacity does not exceed | litre and the appliance 
incorporates a flow switch, an alternative protective 
device, such as a pressure switch, may be used instead 
of the thermal cut-out. 


Compliance is checked by inspection. 


22.107 Water shall not attain an excessive temperature 
in normal use. 


Compliance is checked by the following test. 


The appliance is operated at rated power input. Any 
regulating valve is fully opened and the water flow is 


adjusted so that the flow switch or pressure switch or 
thermostat is on the verge of operating. 


The temperature of the outlet water shall not be higher 
than 95 °C and shall not exceed the temperature of the 
inlet water by more than 75 K. 


For appliances intended to supply water for showering 
the test is carried out under normal operation and with 
a water pressure of 0.2 MPa. The temperature of the 
water at the outlet shall not exceed 55 °C. 


22.108 The outlet water of appliances intended to 
supply water for showering shall not attain an excessive 
temperature due to a sudden pressure drop in the water 
supply. 

Compliance is checked by the following test. 


The appliance is supplied with water at a pressure of 
0.4 MPa. It is operated at rated power input with the 
regulating valve adjusted so that the outlet water 
temperature is 25 + 1 K above the inlet water 
temperature. The water pressure is then reduced to 0.2 
MPa within 1 s. 


The outlet water temperature shall not rise by more 
than 25 K within 10 s. 


The outlet water temperature is measured by means of 
a fine-wire thermocouple placed in the centre of a 
plastic cylindrical receptacle having a diameter of 
30 mm and a height of 12 mm. The receptacle is 
positioned 25 mm below the shower head. 


If compliance relies on the operation of an electronic 
circuit, the test is repeated under the following 
conditions applied separately; 


a) the fault conditions of 19.11.2 applied one at 
a time to the electronic circuit; 


b) the electromagnetic phenomena tests of 
19.11.4.1 to 19.11.4.7 applied to the appliance. 


The outlet water temperature shall not rise by more 
than 25 K within 10 s during or after each of the tests. 


If the electronic circuit is programmable, the software 
shall contain measures to control the fault/error 
conditions specified in Table R.1 and is evaluated in 
accordance with the relevant requirements of Annex R. 


22.109 Water containers of open-outlet water heaters 
having a pressure switch shall not rupture due to 
excessive internal pressure. 


Compliance is checked by inspection and for; 


a) appliances having a weak part that is ejected 
or ruptures when the pressure is excessive, by 
the test of 22.109.1; 


NOTE 1 — Examples of weak parts are diaphragms and plugs. 
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b) appliances having other means for relieving 
pressure, by the tests of 22.109.1 and 
22.109.3; 

c) appliances having heating elements that 
1) rupture before the internal pressure is 

excessive, or 
2) cannot be energized when the internal 


pressure is excessive, by the tests of 
22.109.2 and 22.109.3. 


After the tests, the appliance shall comply with 8 
and 16.2. 


NOTE 2 — The tests simulate a blocked outlet or frozen water 
in the container. 


22.109.1 The appliance is filled with water, the water 
outlet being sealed. The water pressure is then steadily 
increased. 


The weak part shall be ejected or rupture, or the 
pressure relief device operate, before the internal 
pressure reaches 1.1 MPa. 


After the pressure has been relieved, water is allowed 
to flow for a period of 1 min. 


22.109.2 The appliance is filled with water, the water 
outlet being sealed and the inlet valve closed. Controls 
are short-circuited or open-circuited, whichever is more 
unfavourable. The appliance is then operated at rated 
power input. 


The heating element shall rupture without causing a 
hazard unless it remains de-energized. 


If the heating element ruptures, the inlet valve is opened 
and the water pressure steadily increased until it reaches 
1.1 MPa. The pressure is maintained for 1 min. 


22.109.3 The appliance is filled with water, the water 
inlet and outlet being sealed. Controls are short- 
circuited or open-circuited, whichever is more 
unfavourable. 


The appliance is placed as in normal use in an 
ambient having a temperature not exceeding —5°C 
until the water is frozen. The appliance is then placed 
in the normal ambient and operated at rated power 
input. 


The heating element shall rupture without causing a 
hazard or any excessive pressure shall be relieved by 
means of a pressure relief device, unless the heating 
element remains de-energized. 


The appliance is switched off and allowed to reach room 
temperature. 


If the heating element remains de-energized or has 
ruptured, water is supplied through the inlet and the 
pressure is steadily increased until it reaches 1.1 MPa. 
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The pressure is maintained for | min. 


If a pressure relief device has operated, the appliance 
is connected to the water supply for a period of 1 min 
with the outlet still sealed. 


22.110 Appliances for wall-mounting shall have reliable 
provision for fixing to a wall, independent of the 
connection to the water mains. 


Compliance is checked by inspection. 


23 INTERNAL WIRING 
This clause of Part 1 is applicable. 


24 COMPONENTS 


This clause of Part 1 is applicable except as follows. 


24.1.3 Addition: 
Flow switches are tested for 50 000 cycles of operation. 


Pressure switches for open-outlet water heaters and 
pressure switches for appliances intended to supply 
water for showering only are tested for 20 000 cycles 
of operation. Pressure switches for other water heaters 
are tested for 50 000 cycles of operation. 


24.1.4 Addition: 


Thermal cut-outs incorporated in closed water heaters 
shall comply with the requirements for type 2B controls 
in Clauses 13, 15, 16, 17 and 20 of IS/IEC 60730-1, 
unless they are tested with the appliance. 


If a self-resetting thermal cut-out operates during the 
test of 22.107, the number of cycles of operation is 
increased to 


3 000, for waters heaters intended to supply water for 
showering; 


1 000, for other appliances. 


24.101 The thermal cut-out or other protective device 
incorporated to comply with 22.106 shall be non-self- 
resetting and, for multi-phase appliances, provide all- 
pole disconnection. 


Compliance is checked by inspection. 


24.102 The thermal cut-out or other protective device, 
incorporated for compliance with 22.106 in closed 
water heaters having a capacity not exceeding | litre, 
shall maintain its operating characteristics. 


Compliance is checked by the following test. 


The appliance is supplied at rated voltage and operated 
under normal operation but with any control that 
operates during the test of 11 short-circuited. The water 
flow is adjusted so that the temperature of the water 
increases by approximately 1 K / min. 


The thermal cut-out is caused to operate five times, the 
temperatures at which it operates are measured and the 
mean value determined. The thermal cut-out is 
subjected to 50 000 cycles of temperature fluctuation. 
Each cycle consists of a variation in temperature 
between the maximum value measured during the test 
of 22.107 and half this value. 


The thermal cut-out is then caused to operate 20 times 
and the mean value of the temperatures at which it 
operates shall not deviate by more than 20 percent from 
the mean value previously determined. 


If the protective device is sensitive to pressure, the 
appliance is not energized and is subjected to a slowly 
increasing water pressure. The mean operating pressure 
of the protective device is determined over five cycles. 
The protective device is subjected to 50 000 cycles of 
pressure fluctuation. Each cycle consists of a variation 
in pressure between the rated pressure of the appliance 
and half this value. 


The protective device is then caused to operate 20 times 
and the mean value of the pressures at which it operates 
shall not deviate by more than 20 percent from the mean 
value previously determined. 


25 SUPPLY CONNECTION AND EXTERNAL 
FLEXIBLE CORD 


This clause of Part 1 is applicable. 


26 TERMINALS 
CONDUCTORS 


FOR EXTERNAL 


This clause of Part 1 is applicable. 


27 PROVISION FOR EARTHING 


This clause of Part 1 is applicable except as follows. 


27.1 Addition: 


For Class I appliances, the sheath of the heating element 
shall be permanently and reliably connected to the 
earthing terminal, unless 


a) the container is provided with inlet and outlet 
pipes of metal, which are permanently and 
reliably connected to the earthing terminal, 
and 


b) other accessible metal parts of the container 
in contact with the water are permanently and 
reliably connected to the earthing terminal. 


28 SCREWS AND CONNECTIONS 
This clause of Part 1 is applicable. 


29 CLEARANCE, CREEPAGE DISTANCES AND 


SOLID INSULATION 

This clause of Part | is applicable. 

30 RESISTANCE TO HEAT AND FIRE 

This clause of Part 1 is applicable except as follows. 
30.2.2 Not applicable. 

31 RESISTANCE TO RUSTING 


This clause of Part 1 is applicable. 


32 RADIATION, TOXICITY AND SIMILAR 
HAZARDS 


This clause of Part 1 is applicable. 
101 TESTS 


101.1 Type Tests 


The tests specified in Table 101 shall constitute the type 
tests and shall be carried out on a sample selected 
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preferably at random from regular production lot (see 5.3). 
Before commencement of the tests, the water heater shall 
be visually examined and inspected of components, parts 
and their assembly, constructions, mechanical hazards, 
marking provision of suitable terminals for supply 
connections, earthing and the effectiveness screws and 
connection. The external surface finish shall be even and 
free from finishing defects. 


101.1.1 Criteria of Acceptance 


Sample shall successfully pass all the type tests for 
proving conformity with the requirements of the 
standard. If the sample fails in any of the type tests, the 
testing authority at its discretion, may call for fresh 
samples not exceeding twice the original number and 
subject them again to all tests or to the test (s) in which 
failure (s) had occurred. No failure should be permitted 
in the repeat tests (s). 


Table 101 Schedule of Type Tests 
(Clause 101.1) 


Sl Tests Ref to Clause 
No. 

(1) (2) (3) 
i) Protection against access to live parts 8 
ii) Power input and current 10 
ili) Heating 11 
iv) Leakage current and electric strength at operating temperature 13 
v) Transient over voltages 14 
vi) Moisture resistance 15 
vii) Leakage current and electric strength 16 
viii) | Overload protection of transformers and associated circuits 17 
ix) Abnormal operation 19 
x) Stability and mechanical hazards 20 
xi) Mechanical Strength 21 
xii) Construction 22 
xiii) Internal wiring 23 
xiv) | Components 24 
xv) Supply connection and external flexible cords 25 
xvi) Terminals for external conductors 26 
xvii) Provision for earthing 27 
xviii) | Screw and connections 28 
xix) Clearances, creepage distances and solid insulation 29 
xx) Resistance to heat and fire 30 
xxi) Resistance to rusting 31 
xxii) Radiation, toxicity and similar hazards 32 
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101.2 Acceptance Tests 


The following shall constitute the acceptance tests: 


SI Tests Ref to Clause 
No. 
0) (2) (3) 
i) Protection against access to 08 
live parts 
ii) Power input and current 10 
ili) Heating 11 
iv) Leakage current and electric 13 
strength at operating 
Temperature 
v) Moisture resistance 15 
vi) Leakage current and electric 16 
strength 
viii) Provision for ear thing 27 


NOTE — For the purpose of acceptance tests, the humidity 
treatment shall be done for 24 h while conducting the test 
for moisture resistance (see 15). 


101.2.1 A recommended sampling procedure for 
acceptance tests is given in Annex J of IS 302-1. 


101.3 Routine Test — The following shall constitute 
the routine tests: 


SI Test Ref to Clause 
No. 

0) 0) 0) 

i) Protection against 8 


access to live parts 
13.3.2 of IS 302-1 : 2008 
iii) Provision for 2T 

earthing 


ii) High voltage 


ANNEXES 


The annexes of Part 1 are applicable except as follows. 


ANNEX A 


(Informative) 


ROUTINE TESTS 


This annex of Part 1 is applicable except as follows. 


A-101 PRESSURE TEST 


The water container is subjected to a pressure test using 
a fluid. 


When a liquid is used, the pressure is 


a) for closed water heaters, 0.7 MPa for those 


having a rated pressure not greater than 
0.6 MPa, and 1.1 times rated pressure for 
others; 

b) for open-outlet water heaters, 0.05 MPa; 


When gas is used, these pressures may be reduced but 
are to be sufficient to reveal leakage. 


Leakage of the fluid is not to occur during the test. 
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ANNEX R 
(Informative) 


SOFTWARE EVALUATION 


R-0 Programmable electronic circuits requiring software 
incorporating measures to control the fault/error conditions 
specified in Table R.1 or Table R.2 shall be validated in 
accordance with the requirements in this annex. 


NOTE — Tables R.1 and R.2 are based on Table H.11.12.7 of 
IEC 60730-1 that is, for the purpose of this annex, divided in 
two tables, Table R.1 for general fault/error conditions and Table 
R.2 for specific fault/error conditions. 


R-1 Programmable electronic circuits using 
software 


Programmable electronic circuits requiring software 
incorporating measures to control the fault/error 
conditions specified in Table R.1 or Table R.2 shall be 
constructed so that the software does not impair 
compliance with the requirements of this standard. 


Compliance is checked by the inspections and tests, 
according to the requirements of this annex, and by 
examination of the documentation as required by this annex. 


R-2 Requirements for the architecture 


R-2.1 General 


Programmable electronic circuits requiring software 
incorporating measures to control the fault/error 
conditions specified in Table R.1 or Table R.2 shall 
use measures to control and avoid software-related 
faults/errors in safety-related data and safety-related 
segments of the software. 


Compliance is checked by the inspections and tests in 
R.2.2 to R.3.3.3 inclusive. 


R-2.1.1 Programmable electronic circuits requiring 
software incorporating measures to control the fault/ 
error conditions specified in Table R.2 shall have one 
of the following structures: 


— single channel with periodic self-test and 
monitoring (see IEC 60730-1, H.2.16.7); 

— dual channel (homogenous) with comparison 
(see IEC 60730-1, H.2.16.3); 

— dual channel (diverse) with comparison (see 
IEC 60730-1, H.2.16.2). 


NOTE 1— Comparison between dual channel structures may 
be performed by: 
e use of a comparator (see IEC 60730-1 
H.2.18.3), or 
e reciprocal comparison (see IEC 60730-1 
H.2.18.15). 
Programmable electronic circuits requiring software 
incorporating measures to control the fault/error 


conditions specified in Table R.1 shall have one of the 
following structures: 


— single channel with functional test (see 
IEC 60730-1, H.2.16.5); 

— single channel with periodic self-test (see 
IEC 60730-1, H.2.16.6); 


— dual channel without comparison (see 
IEC 60730-1, H.2.16.1). 


NOTE 2 — Software structures incorporating measures to 
control the fault/error conditions specified in Table R.2 are also 
acceptable for programmable electronic circuits with functions 
requiring software measures to control the fault/error conditions 
specified in Table R.1. 


Compliance is checked by the inspections and tests of 
the software architecture in R.3.2.2. 


R-2.2 Measures to control faults/errors 


R-2.2.1 When redundant memory with comparison is 
provided on two areas of the same component, the data 
in one area shall be stored in a different format from 
that in the other area (see software diversity, 
IEC 60730-1 H.2.18.19). 


Compliance is checked by inspection of the source code. 


R-2.2.2 Programmable electronic circuits with 
functions requiring software incorporating measures to 
control the fault/error conditions specified in Table R.2 
and that use dual channel structures with comparison 
shall have additional fault/error detection means (such 
as periodic functional tests, periodic self tests, or 
independent monitoring) for any fault/errors not 
detected by the comparison. 


Compliance is checked by inspection of the source code. 


R-2.2.3 For programmable electronic circuits with 
functions requiring software incorporating measures to 
control the fault/error conditions specified in Table R.1 
or Table R.2, means shall be provided for the 
recognition and control of errors in transmissions to 
external safety-related data paths. Such means shall take 
into account errors in data, addressing, transmission 
timing and sequence of protocol. 


Compliance is checked by inspection of the source code. 


R-2.2.4 For programmable electronic circuits with 
functions requiring software incorporating measures to 
control the fault/error conditions specified in Table R.1 
or Table R.2, the programmable electronic circuits 
shall incorporate measures to address the fault/errors 
in safety-related segments and data indicated in Table 
R.1 or Table R.2 as appropriate. 


Compliance is checked by inspection of the source code. 
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Table R.1 ° — General Fault/Error Conditions 


Component* Fault/error Acceptable measures ”* Definitions 
See IEC 60730-1 
1 Central processing unit 
(CPU) 
1.1 Registers Stuck at Functional test, or H.2.16.5 
periodic self-test using either: H.2.16.6 
— static memory test, or H.2.19.6 
— word protection with single bit redundancy H.2.19.8.2 
1.2 VOID 
1.3 Programme counter | Stuck at Functional test, or H.2.16.5 
periodic self-test, or H.2.16.6 
independent time-slot monitoring, or H.2.18.10.4 
logical monitoring of the programme sequence H.2.18.10.2 
2 Interrupt No interrupt Functional test, or H.2.16.5 
handling and or too time-slot monitoring H.2.18.10.4 
execution frequent 
interrupt 
3 Clock Frequency monitoring, or H.2.18.10.1 
time slot monitoring H.2.18.10.4 
Wrong 
frequency 
(for quartz 
synchronized 
clock: 
harmonics/ 
sub-harmonics 
only) 
4 Memory 
4.1 Invariable All single bit Periodic modified checksum, or H.2.19.3.1 
memory faults multiple checksum, or H.2.19.3.2 
word protection with single bit redundancy H.2.19.8.2 
4.2 Variable DC fault Periodic static memory test, or H.2.19.6 
memory word protection with single bit redundancy H.2.19.8.2 
4.3 Addressing Stuck at Word protection with single bit redundancy H.2.19.8.2 
(relevant to including the address 
variable and 
invariable 
memory) 
5 Internal data path Stuck at Word protection with single bit redundancy H.2.19.8.2 
5.1 VOID 
5.2 Addressing Wrong address Word protection with single bit redundancy including the address H.2.19.8.2 
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Table R. 1 — (Concluded) 


Component * Fault/error Acceptable measures ™° Definitions 
See IEC 60730-1 


6 External Hamming distance 3 | Word protection with multi-bit redundancy, or CRC — single H.2.19.8.1 
communication word , or H.2.19.4.1 


transfer redundancy, or H.2.18.2.2 
protocol test H.2.18.14 


6.1 VOID 
6.2 VOID 


6.3 Wrong point in time | Time-slot monitoring, or H.2.18.10.4 
Timing scheduled transmission H.2.18.18 


Time-slot and logical monitoring, or H.2.18.10.3 


comparison of redundant communication channels by either: 


— reciprocal comparison H.2.18.15 
— independent hardware comparator H.2.18.3 
Wrong Logical monitoring, or H.2.18.10.2 
sequence time-slot monitoring, or H.2.18.10.4 
scheduled transmission H.2.18.18 
7 Input/output Fault Plausibility check H.2.18.13 


periphery conditions 
specified in 
19.11.2 


7.1 VOID 
7.2 Analog I/O 


7.2.1 A/D- and Fault conditions Plausibility check H.2.18.13 
D/A- convertor 


specified 
in 19.11.2 


7.2.2 Analog Wrong addressing Plausibility check H.2.18.13 
multiplexer 


8 VOID 
9 Custom Any output Periodic self test 


chips d outside the 
e.g. ASIC, static and 
GAL, gate dynamic 
array functional 


specification 


NOTE — A Stuck-at fault model denotes a fault model representing an open circuit or a non-varying signal level. A DC fault model 
denotes a stuck-at fault model incorporating short circuits between signal lines. 


For fault/error assessment, some components are divided into their sub-functions. 

For each sub-function in the table, the Table R.2 measure will cover the software fault/error. 
Where more than one measure is given for a sub-function, these are alternatives. 

To be divided as necessary by the manufacturer into sub-functions. 

Table R.1 is applied according to the requirements of R.1 to R.2.2.9 inclusive. 
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Table R.2 ° — Specific Fault/Error Conditions 


Component ° Fault/error Acceptable measures ™ ° Definitions 
See IEC 60730-1 


1 Central Processing 
Unit (CPU) 


1.1 Registers DC fault Comparison of redundant CPUs by either: 

— reciprocal comparison H.2.18.15 
— independent hardware comparator, or H.2.18.3 

internal error detection, or H.2.18.9 

redundant memory with comparison, or H.2.19.5 

periodic self-tests using either 

—  walkpat memory test H.2.19.7 

— Abraham test H.2.19.1 

— transparent GALPAT test; or H.2.19.2.1 
word protection with multi-bit redundancy, or H.2.19.8.1 
static memory test and H.2.19.6 

word protection with single bit redundancy H.2.19.8.2 


1.2 Instruction Wrong Comparison of redundant CPUs by either: 


decoding and decoding — reciprocal comparison H.2.18.15 


execution and execution — independent hardware comparator, or H.2.18.3 


internal error detection, or H.2.18.9 
periodic self-test using equivalence class test H.2.18.5 


1.3 Programme DC fault Periodic self-test and monitoring using either: H.2.16.7 
counter 


— independent time-slot and logical monitoring H.2.18.10.3 
— internal error detection, or H.2.18.9 


comparison of redundant functional channels by either: 


— reciprocal comparison H.2.18.15 
— independent hardware comparator H.2.18.3 
1.4 Addressing DC fault Comparison of redundant CPUs by either: 
— reciprocal comparison H.2.18.15 
— independent hardware comparator; or H.2.18.3 
internal error detection; or H.2.18.9 
periodic self-test using H.2.16.7 
—a testing pattern of the address lines; or H.2.18.22 
—a full bus redundancy H.2.18.1.1 
—a multi bus parity including the address H.2.18.1.2 
1.5 Data paths DC fault Comparison of redundant CPUs by either: 
instruction and — reciprocal comparison, or H.2.18.15 
decoding execution — independent hardware comparator, or H.2.18.3 
— internal error detection, or H.2.18.9 
— periodic self-test using a testing pattern, or H.2.16.7 
— data redundancy, or H.2.18.2.1 
— multi-bit bus parity H.2.18.1.2 
2 Interrupt handling | No interrupt Comparison of redundant functional 
and execution 
or too channels by either 
frequent — reciprocal comparison, H.2.18.15 
interrupt — independent hardware comparator, or H.2.18.3 
related to — independent time-slot and logical monitoring H.2.18.10.3 


different sources 
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Component * 


Fault/error 
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Table R. 2 — (Continued): 


Definitions 
See 
IEC 60730-1 


Acceptable measures ™ © 


3 Clock 


4. Memory 


Wrong 
frequency 
(for quartz 
synchronized 
clock: 
harmonics/ 
subharmonics 


only) 


Frequency monitoring, or H.2.18.10.1 


time-slot monitoring, or H.2.18.10.4 
comparison of redundant functional channels 
by either: 


— reciprocal comparison 


— independent hardware comparator 


4.1 
Invariable 


memory 


4.2 Variable 


memory 


99,6 % 
coverage of 
all information 


errors 


DC fault 
and dynamic 


cross links 


Comparison of redundant CPUs by either: 
— reciprocal comparison 

— independent hardware comparator, or 
redundant memory with comparison, or 
periodic cyclic redundancy check, either 
— single word 

— double word, or 

word protection with multi-bit redundancy 


Comparison of redundant CPUs by either: 


— reciprocal comparison H.2.18.15 
— independent hardware comparator, or H.2.18.3 
redundant memory with comparison, or H.2.19.5 


periodic self tests using either: 


—  walkpat memory test H.2.19.7 
— Abraham test H.2.19.1 
— transparent GALPAT test, or H.2.19.2.1 
word protection with multi-bit redundancy H.2.19.8.1 
4.3 Addressing DC fault Comparison of redundant CPUs by either: 
(relevant to — reciprocal comparison, or H.2.18.15 
variable and — independent hardware comparator, or H.2.18.3 
invariable full bus redundancy H.2.18.1.1 
memory) testing pattern, or H.2.18.22 
periodic cyclic redundancy check, either: 
— single word H.2.19.4.1 
- double word, or H.2.19.4.2 
word protection with multi-bit redundancy including the H.2.19.8.1 
address 
5 Internal data path 
5.1 Data DC fault Comparison of redundant CPUs by either 


— reciprocal comparison H.2.18.15 
— independent hardware comparator, or H.2.18.3 

word protection with multi-bit redundancy H.2.19.8.1 
including the address, or data redundancy, or H.2.18.2.1 
testing pattern, or H.2.18.22 
protocol test H.2.18.14 
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Table R. 2 — (Continued)* 


testing pattern 


Component * Fault/error Acceptable measures ™ ° Definitions 
See 
IEC 60730-1 
5.2 Addressing Wrong Comparison of redundant CPUs by: 
address and — reciprocal comparison H.2.18.15 
multiple — independent hardware comparator, or H.2.18.3 
addressing word protection with multi-bit redundancy, including the H.2.19.8.1 
address, or full bus redundancy; or testing pattern H.2.18.1.1 
including the address H.2.18.22 
6 External 
communication 
6.1 Data Hamming distance | CRC — double word, or H.2.19.4.2 
4 
data redundancy or H.2.18.2.1 
comparison of redundant functional channels by either: 
— reciprocal comparison H.2.18.15 
— independent hardware comparator H.2.18.3 
6.2 Addressing Wrong Word protection with multi-bit redundancy, H.2.19.8.1 
address including the address, or CRC single word H.2.19.4.1 
including the addresses, or 
transfer redundancy or H.2.18.2.2 
protocol test H.2.18.14 
Wrong and CRC — double word, including the address, or H.2.19.4.2 
multiple full bus redundancy of data and address, or H.2.18.1.1 
addressing comparison of redundant communication channels by 
either: 
— reciprocal comparison H.2.18.15 
— independent hardware comparator H.2.18.3 
6.3 Timing Wrong point in Time-slot monitoring, or H.2.18.10.4 
time scheduled transmission H.2.18.18 
7 Input/output 
periphery 
7.1 Fault Comparison of redundant CPUs by either: 
Digital 1/0 conditions — reciprocal comparison H.2.18.15 
specified in — independent hardware comparator, or H.2.18.3 
19.11.2 input comparison, or H.2.18.8 
multiple parallel outputs, or H.2.18.11 
output verification, or H.2.18.12 
testing pattern, or H.2.18.22 
code safety H.2.18.2 
7.2 Analog I/O 
7.2.1 A/D- and Fault 
D/A- convertor conditions 
specified Comparison of redundant CPUs by either: 
in 19.11.2 — reciprocal comparison H.2.18.15 
— independent hardware comparator, or H.2.18.3 
input comparison, or H.2.18.8 
multiple parallel outputs, or H.2.18.11 
output verification, or H.2.18.12 
testing pattern H.2.18.22 
7.2.2 Analog Wrong addressing | Comparison of redundant CPUs by either: H.2.18.15 
multiplexer — reciprocal comparison H.2.18.3 
— independent hardware comparator, or 
H.2.18.8 
input comparison or H.2.18.22 


14 


IS 302-2-35 : 2017 


Table R. 2 — (Concluded) 


Component ° Fault/error Acceptable measures ™ ° Definitions 
See 
IEC 60730-1 
8 Monitoring Any output outside | Tested monitoring, or H.2.18.21 
devices and the static and redundant monitoring and comparison, or H.2.18.17 
comparators dynamic functional | error recognizing means H.2.18.6 
specification 
9 Custom Any output Periodic self-test and monitoring, or H.2.16.7 
chips d outside the dual channel (diverse) with comparison, or H.2.16.2 
e.g. ASIC, static and error recognizing means H.2.18.6 
GAL, gate dynamic 
array functional 
specification 


NOTE — A DC fault model denotes a stuck-at fault model incorporating short circuits between signal lines. 


4 For fault/error assessment, some components are divided into their sub-functions. 

b For each sub-function in the table, the software measure will cover the Table R.1 fault/error. 
© Where more than one measure is given for a sub-function, these are alternatives. 

d To be divided as necessary by the manufacturer into sub-functions. 


€ Table R.2 is applied according to the requirements of R.1 to R.2.2.9 inclusive, only if required by a part 2. 


R-2.2.5 For programmable electronic circuits with 
functions requiring software incorporating measures to 
control the fault/error conditions specified in Table R.1 
or Table R.2, detection ofa fault/error shall occur before 
compliance with Clause 19, 22.105 and 22.108 is 
impaired. 


R-2.2.6 The software and safety-related hardware 
under its control shall be initialized and shall terminate 
before compliance with Clause 19, 22.105 and 22.108 
is impaired. 


R-2.2.7 Where labels are used for memory locations, 
these labels shall be unique. 


Compliance is checked by inspection of the source 
code. 


R-2.2.8 The software shall be protected from user 
alteration of safety-related segments and data. 


Compliance is checked by inspection of the source 
code. 


R-2.2.9 The software and safety-related hardware 
under its control shall be initialized and shall terminate 
before compliance with 19 is impaired. 


Compliance is checked by testing of the source code. 
R-3 MEASURES TO AVOID ERRORS 
R-3.1 General 


For programmable electronic circuits with functions 
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requiring software incorporating measures to control 
the fault/error conditions specified in Table R.1 or 
Table R.2, the following measures to avoid systematic 
faults in the software shall be applied. 


Software that incorporates measures used to control 
the fault/error conditions specified in 


Table R.2 is inherently acceptable for software required 
to control the fault/error conditions specified in 
Table R.1. 


NOTE — The content of these requirements is extracted from 
IEC 61508-3 and adapted to the needs of this Standard. 


R-3.2 Specification 
R-3.2.1 Software Safety Requirements 


The specification of the software safety requirements 
shall include: 


— a description of each safety related function 
to be implemented, including its response 
time(s): 

e functions related to the application 
including their related software faults 
required to be controlled; 

e functions related to the detection, 
annunciation and management of 
software or hardware faults; 

— a description of interfaces between software 
and hardware; 
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a description of interfaces between any safety 
and non-safety related functions; 

a description of any compiler used to generate 
the object code from the source code, 
including details of any compiler switch 
settings used such as library function options, 
memory model, optimization, SRAM details, 
clock rate and chip details; 

a description of any linker used to link the 
object code to executable library routines. 
Compliance is checked by inspection of the 
documentation and as specified in R.3.2.2.2. 


NOTE — Examples of some techniques/measures to meet these 
requirements can be found in Table R.3. 


Table R.3 - Semi-formal methods 


Technique / Measure Informative references 


Semi-formal methods 


Logical/ block diagrams 


Sequence diagrams 
IEC 61508-7, B.2.3.2 
IEC 61508-7, C.6.1 


Finite state machines/state 
transition diagrams 


Decision/truth tables 


R-3.2.2 Software architecture 


R-3.2.2.1 The specification of the software architecture 
shall include the following aspects: 


techniques and measures to control software 
faults/errors (refer to R.2.2); 


interactions between hardware and software; 


partitioning into modules and their allocation 
to the specified safety functions; 


hierarchy and call structure of the modules 
(control flow); 


interrupt handling; 
data flow and restrictions on data access; 
architecture and storage of data; 


time-based dependencies of sequences and 
data. 


Compliance is checked by inspection of the 
documentation and as specified in R.3.2.2.2. 


NOTE — Examples of some techniques/measures to meet these 
requirements can be found in Table R.4. 


Table R.4 - Software Architecture Specification 
Technique / Measure Informative 
references 


Fault detection and diagnosis IEC 61508-7, C.3.1 


Semi-formal methods: 


e Logic/function block diagrams 
e Sequence diagrams 
e Finite state machines / state 


IEC 61508-7, B.2.3.2 
IEC 61508-7, C.2.2 


transition diagrams 
e — Data flow diagrams 
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R-3.2.2.2 The architecture specification shall be 
validated against the specification of the software 
safety requirements by static analysis. 


NOTE— Example methods for static analysis are: 


e control flow analysis; (IEC 61508-7, C.5.9); 
e data flow analysis; (IEC 61508-7, C.5.10); 
eè  walk-throughs/design reviews. (IEC 61508-7, 


C.5.16). 
R-3.2.3 Module Design and Coding 


R-3.2.3.1 Based on the architecture design, software 
shall be suitably refined into modules. Software module 
design and coding shall be implemented in a way that 
is traceable to the software architecture and 
requirements. 


Compliance is checked by R.3.2.3.3 and by inspection 
of the documentation. 
NOTE 1 — The use of computer aided design tools is accepted. 


NOTE 2 — Defensive programming (IEC 61508-7, Subclause 
C.2.5) is recommended (e.g. range checks, check for division 
by 0, plausibility checks). 


NOTE 3 — The module design shall specify: 


e function(s), 
© interfaces to other modules, 
e data. 


NOTE 4 — Examples of some techniques/measures to meet 
these requirements can be found in Table R.5. 


Table R.5 - Module Design Specification 


Informative 
references 


IEC 61508-7, C.2.9 
IEC 61508-7, C.2.8 
IEC 61508-7, C.2.9 


Technique / Measure 


Limited size of software modules 


Information hiding / encapsulation 


subroutines and functions 


Fully defined interface 


Semi-formal methods: 
Logic/function block diagrams 
Sequence diagrams 
Finite state machines / 
transition diagrams 
Data flow diagrams 


One entry / one exit point in 


IEC 61508-7, C.2.9 


state 
IEC 61508-7, B.2.3.2 


IEC 61508-7, C.2.2 


R-3.2.3.2 Software code shall be structured. 


Compliance is checked by R-3.2.3.3 and by inspection 
of the documentation. 


NOTE 1 Structural complexity can be minimized by applying 
the following principles: 


© keep the number of possible paths through a 
software module small, and the relation 
between the input and output parameters as 
simple as possible; 

e avoid complicated branching and, in 


particular, avoid unconditional jumps (GOTO) 
in higher level languages; 


e where possible, relate loop constraints and 
branching to input parameters; 
e avoid using complex calculations as the basis 


of branching and loop decisions. 


NOTE 2 Examples of some techniques/measures to meet these 
requirements can be found in Table R.6. 


Table R.6 - Design and Coding Standards 


Informative 
references 


IEC 61508-7, C.2.6.2 


Technique / Measure 


Use of coding standard 
(see NOTE) 


No use of dynamic objects and| IEC 61508-7, C.2.6.3 
variables (see NOTE) 


Limited use of interrupts IEC 61508-7, C.2.6.5 
IEC 61508-7, C.2.6.6 
IEC 61508-7, C.2.6.7 


IEC 61508-7, C.2.6.2 


NOTE — Dynamic objects and/or variables are allowed if 
a compiler is used which ensures that sufficient memory 
for all dynamic objects and/or variables will be allocated 
before runtime, or which inserts runtime checks for the 
correct online allocation of memory. 


R-3.2.3.3 Coded software shall be validated against 
the module specification by static analysis. The module 
specification shall be validated against the architecture 
specification by static analysis. 
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R-3.3.3 Software validation 


The software shall be validated with reference to the 
requirements of the software safety requirements 
specification. 


NOTE 1 — Validation is confirmation by examination and 
provision of objective evidence that the particular requirements 
for a specific intended use are fulfilled. Therefore, for example, 
software validation means confirming by examination and 
provision of objective evidence that the software satisfies the 
software safety requirements specification. 


Compliance is checked by simulation of 


input signals present during normal operation, 


anticipated occurrences, 


undesired conditions requiring system action. 
Test cases, test data and test results shall be reported. 


NOTE 2 — Examples of some techniques/measures to meet 
these requirements can be found in Table R.7. 


Table R.7 - Software Safety Validation 


Informative 
references 


IEC 61508-7, B.5.1, B.5.2 


IEC 61508-7, C.5.4 
IEC 61508-7, C.5.18 


Technique / Measure 
Functional and black-box 
testing: 

e Boundary value analysis 
e Process simulation 


Simulation, modelling: 
e Finite state machines 
e Performance modelling 


IEC 61508-7, B.2.3.2 
IEC 61508-7, C.5.20 


NOTE 3 — Testing should be the main validation method for 
software; modelling may be used to supplement the validation 
activities. 


(Continued on second cover) 


NOTE — The following numbering system is used: 
a) Subclauses, tables and figures that are numbered starting from 101 are additional to those in Part 1; 


b) Unless notes are in a new subclause or involve notes in Part 1, they are numbered starting from 101, including those in a 
replaced clause or subclause; 


c) Additional annexes are lettered AA, BB, etc. 
This standard is based on IEC 60335-2-35 : 2012 (Ed. 5.0). As this standard refers to IS 302-1, the differences of 


IS 302-1 from IEC 60335-1 shall apply. Apart from that, this standard differs from IEC 60335-2-35 as regards 
bare element heating elements, which are not permitted as per this Indian standard. 


The principal changes in this revision are as follows (minor changes are not listed): 


a) Converted notes to normative text (See 7.12, 7.102, 8.1.5, 22.104, and 22.109.3); 
b) Deleted notes in 19.13, 22.109, and A.101; 

c) Added Annex R and 22.108 for appliances with programmable electronic circuits; 
d) Added requirements for water heaters (See 22.50 and 22.51). 


For the purpose of deciding whether a particular requirement of this standard is complied with, the final value, 
observed or calculated expressing the result ofa test or analysis, shall be rounded off in accordance with IS 2 : 1960 
‘Rules for rounding off numerical values (revised)’. The number of significant places retained in the rounded off 
value should be the same as that of the specified value in this standard. 
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harmonious development of the activities of standardization, marking and quality certification of goods 
and attending to connected matters in the country. 
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